0
votes

My Grails is 2.2.1, Java 1.7, Spring-security-core 1.2.7.3, Spring-security-ui 0.2

Similar to the issue in "Spring security @secure not working with role hierarchy", the security hierarchy is not being respected.

I have three user roles ROLE_ADMIN, ROLE_USER, ROLE_USER_NOT_CONFIRMED

Based on the Spring documentation http://grails-plugins.github.io/grails-spring-security-core/guide/hierarchicalRoles.html

I added the following code into the Config.groovy:

grails.plugin.springsecurity.roleHierarchy = '''
    ROLE_ADMIN > ROLE_USER
'''

and based on "Grails: SpringSecurity roleHierarchy not working as expected", I tried:

grails.plugin.springsecurity.roleHierarchy = '''
    ROLE_ADMIN > ROLE_USER
    ROLE_USER > ROLE_USER_NOT_CONFIRMED
'''

I'm not sure what the syntax is to add DefaultMethodSecurityExpressionHandler in Grails or if it is required.

In a Controller Method I preface with @Secured(['ROLE_USER']) and when I'm logged in as ROLE_ADMIN it throws a permissions error.

1 Answer

1
votes

I think this configuration is ok for the new release of the plugin (version 2.0). Could you try to modify your config with this code ('s' after plugin):

grails.plugins.springsecurity.roleHierarchy = '''
    ROLE_ADMIN > ROLE_USER
    ROLE_USER > ROLE_USER_NOT_CONFIRMED
'''

Hope that helps.
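
Added example, not part of the question or answer and not the plugin's own code: a stand-alone Groovy script that parses a constructed Config.groovy snippet with ConfigSlurper, reports which of the two prefixes discussed above actually holds a roleHierarchy value, and expands it transitively. The helper names (hierarchyAt, parseHierarchy, impliedRoles) are hypothetical, and the expansion is a simplified stand-in for how a role hierarchy is resolved.

```groovy
// Constructed Config.groovy text, using the key exactly as written in the question.
def configText = """
grails.plugin.springsecurity.roleHierarchy = '''
    ROLE_ADMIN > ROLE_USER
    ROLE_USER > ROLE_USER_NOT_CONFIRMED
'''
"""

// Hypothetical helper: the hierarchy string stored under a prefix, or null if unset.
String hierarchyAt(ConfigObject config, String prefix) {
    def value = config.flatten()[prefix + '.roleHierarchy']
    value instanceof CharSequence ? value.toString() : null
}

// Hypothetical helper: turn "HIGHER > LOWER" lines into a map of direct inclusions.
Map<String, Set<String>> parseHierarchy(String text) {
    Map<String, Set<String>> direct = [:]
    text.readLines().each { line ->
        def m = line =~ /\s*(\S+)\s*>\s*(\S+)\s*/
        if (m.matches()) {
            if (!direct.containsKey(m.group(1))) direct[m.group(1)] = [] as Set
            direct[m.group(1)] << m.group(2)
        }
    }
    direct
}

// Hypothetical helper: every role implied by the given role, followed transitively.
Set<String> impliedRoles(Map<String, Set<String>> direct, String role) {
    Set<String> seen = [] as Set
    List<String> todo = [role]
    while (todo) {
        (direct[todo.pop()] ?: []).each { if (seen.add(it)) todo << it }
    }
    seen
}

def config = new ConfigSlurper().parse(configText)
['grails.plugin.springsecurity', 'grails.plugins.springsecurity'].each { prefix ->
    def text = hierarchyAt(config, prefix)
    if (text == null) {
        println "${prefix}.roleHierarchy: not set"
    } else {
        println "${prefix}.roleHierarchy: ROLE_ADMIN implies ${impliedRoles(parseHierarchy(text), 'ROLE_ADMIN')}"
    }
}
```

A value stored under a prefix that the installed plugin version does not read is simply ignored, so the hierarchy stays empty and ROLE_ADMIN is not treated as including ROLE_USER.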